Impact
Unauthenticated PHP Object Injection is present in the WordPress Booktics plugin up to version 1.0.21. An attacker can manipulate serialized PHP data accepted by the plugin without any user authentication, allowing the creation of crafted objects that may lead to arbitrary code execution or compromise of the hosting environment. The vulnerability is listed under CWE-502 and carries a CVSS score of 9.8, indicating a severe impact on confidentiality, integrity, and availability of the affected site.
Affected Systems
The vulnerability affects installations of the WordPress Booktics plugin at version 1.0.21 and earlier, that is, any WordPress site that has not yet upgraded to 1.0.22 or later. The plugin, developed by Arraytics, is commonly used to manage booking and calendar features within WordPress.
Risk and Exploitability
The high CVSS score reflects the potential for exploitation by unauthenticated users. Because no EPSS score is available, the current exploitation probability is unknown, but the absence of a KEV listing suggests no known public exploits yet. The likely attack vector would involve delivering specially crafted serialized input through the plugin’s publicly accessible endpoints, causing attacker-controlled PHP objects to be instantiated on the server.
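As an added illustration (not the Booktics plugin's own code, whose affected endpoint the advisory does not show), the unserialize() pattern behind CWE-502 in a hypothetical unauthenticated WordPress AJAX handler, beside a hardened version that stores data-only input and a guarded reader for legacy serialized blobs; the hook name, field names and option key are assumed.

```php
<?php
// Hypothetical plugin code written for this advisory; hook, field and option
// names are assumed and do not belong to Booktics.

// --- Vulnerable pattern (CWE-502): request bytes reach unserialize() ---
function example_plugin_save_booking_vulnerable() {
    // wp_ajax_nopriv_* handlers run for visitors who are not logged in.
    $raw = isset($_POST['booking']) ? wp_unslash($_POST['booking']) : '';
    // Any class loaded by WordPress, the theme or another plugin can be
    // instantiated here, and its __wakeup()/__destruct() methods will run.
    $booking = unserialize($raw);
    update_option('example_plugin_last_booking', $booking);
    wp_send_json_success();
}

// --- Hardened pattern: never deserialize untrusted input into objects ---
function example_plugin_save_booking_hardened() {
    $raw = isset($_POST['booking']) ? wp_unslash($_POST['booking']) : '';
    // JSON cannot express PHP objects, so no class is instantiated whatever
    // the payload contains.
    $booking = json_decode($raw, true);
    if (!is_array($booking) || json_last_error() !== JSON_ERROR_NONE) {
        wp_send_json_error('invalid booking payload', 400);
    }
    // Validate and coerce each expected field before storing anything.
    $clean = [
        'date'  => sanitize_text_field($booking['date'] ?? ''),
        'slots' => absint($booking['slots'] ?? 0),
    ];
    update_option('example_plugin_last_booking', $clean);
    wp_send_json_success();
}
add_action('wp_ajax_nopriv_example_save_booking', 'example_plugin_save_booking_hardened');

// If a serialized blob must still be read (legacy stored data), forbid object
// creation: unknown classes become __PHP_Incomplete_Class and no magic
// methods execute. Anything that still contains an object is rejected.
function example_plugin_safe_unserialize(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    $has_object = is_object($value);
    if (is_array($value)) {
        array_walk_recursive($value, function ($leaf) use (&$has_object) {
            if (is_object($leaf)) {
                $has_object = true;
            }
        });
    }
    return $has_object ? null : $value;
}
```

For detection, log and alert on POST bodies to wp-admin/admin-ajax.php that contain serialized-object markers such as `O:` followed by a class-name length, since legitimate booking data in the hardened design is plain JSON.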
OpenCVE Enrichment